Logon question (...and I have RTM)


Guest Adam Sandler
Posted

Hello,

We have a domain of W2K3 R2 servers and XP SP2 clients. Auto updates are off (although we do update manually). Up until 4 days ago, there were no problems seen with logging on remotely with mstsc.exe.

This morning when I tried to use mstsc to log on to one of the clients, I got a "The local policy of this system does not permit you to logon interactively" error popup.

I checked the domain GPO and it has "Allow logon through terminal services" set to domain admins, domain users, and remote desktop users listed. For "log on locally" it has domain admins and domain users listed.

Here's where I get really perplexed...

On the previously mentioned client, I can log on locally with the same account which I got rejected with using mstsc. That's right, everything else being equal, if I'm sitting in front of the keyboard, I can access the system. If I try to do the same thing via mstsc, I get the interactive logon popup error. Again, the username I tried was the same for both attempts and that user is also a member of the remote desktop users group.

So when I did access the desktop, sitting in front of the host, I wanted to verify some settings. I selected My Computer | Properties | Remote tab and where the button for selecting remote users is, there is a message which says "domain\user already has access." The checkbox for "Allow users to connect remotely to this computer" is indeed checked.

I also opened up gpedit.msc from the desktop to verify the domain GPO settings were indeed making it over to the clients.

What else can I verify -- to make sure the needed settings are correct? What additional things could I be missing? Suggestions on how to get remote logons working again are greatly appreciated.

Thanks!

Posted

RE: Logon question (...and I have RTM)

Please double check this on the local PC (not domain GP):

Make sure that the Remote Desktop Users group has sufficient permissions to log on through Terminal Services. To do this, follow these steps:

1. Click Start, click Run, type secpol.msc, and then click OK.
2. Expand Local Policies, and then click User Rights Assignment.
3. In the right pane, double-click Allow logon through Terminal Services. Make sure that the Remote Desktop Users group is listed.
4. Click OK.
5. In the right pane, double-click Deny logon through Terminal Services. Make sure that the Remote Desktop Users group is not listed, and then click OK.
6. Close the Local Security Settings snap-in.

Cheers,

Bas H.
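The same two user rights can be checked from a text export of the local policy instead of the secpol.msc GUI. The block below is an added example, not part of the original posts: it parses the `[Privilege Rights]` section of a file produced by `secedit /export /cfg <file> /areas USER_RIGHTS` and reports deny entries that override the allow list. The sample export, the `EXAMPLE` domain and the function names are constructed for illustration.

```python
import re

ALLOW = "SeRemoteInteractiveLogonRight"      # Allow logon through Terminal Services
DENY = "SeDenyRemoteInteractiveLogonRight"   # Deny logon through Terminal Services
# Well-known SIDs; secedit writes principals as *SID where it can.
WELL_KNOWN = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
              "S-1-5-32-544": "Administrators", "S-1-5-32-555": "Remote Desktop Users"}
BROAD = {"Everyone", "Authenticated Users"}  # groups that cover every signed-in account

# Constructed sample export (real files are UTF-16; open them with encoding="utf-16").
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,EXAMPLE\\Domain Users
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeDenyRemoteInteractiveLogonRight = *S-1-1-0
[Version]
signature="$CHICAGO$"
"""

def parse_rights(inf_text):
    """Return {right_name: [principal, ...]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for line in (raw.strip() for raw in inf_text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1)
        elif section == "Privilege Rights" and "=" in line:
            name, _, value = line.partition("=")
            sids = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
            rights[name.strip()] = [WELL_KNOWN.get(s, s) for s in sids]
    return rights

def audit_rdp_logon(inf_text):
    """List reasons a Remote Desktop Users member would be refused over RDP."""
    rights = parse_rights(inf_text)
    allow, deny = rights.get(ALLOW, []), rights.get(DENY, [])
    findings = []
    if "Remote Desktop Users" not in allow:
        findings.append("Remote Desktop Users is missing from the allow list")
    for principal in deny:
        if principal in BROAD or principal in allow:
            # A deny right takes precedence over the matching allow right.
            findings.append(f"{principal} is in the deny list and overrides the allow list")
    return findings

if __name__ == "__main__":
    for finding in audit_rdp_logon(SAMPLE_EXPORT):
        print(finding)
```

An empty result means neither right explains a refused Remote Desktop logon for a Remote Desktop Users member, so the cause lies elsewhere.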

Guest Adam Sandler
Posted

Re: Logon question (...and I have RTM)

On Dec 11, 12:57 pm, Bas H. <B...@discussions.microsoft.com> wrote:

Thanks for the reply!

> Please double check this on the local PC (not domain GP):
> 5. In the right pane, double-click Deny logon through Terminal Services.
> Make sure that the Remote Desktop Users group is not listed, and then click

That was the culprit... somehow, the Everyone group got put in here!

So I obviously took that out and now mstsc works. A follow up question if I may... how come the GP doesn't override this setting??? If memory serves me correctly, as recently as W2K, domain policy objects were the preferred setting over their local counterparts.

Thanks again!

Posted

Re: Logon question (...and I have RTM)

 

It is a local setting to allow logon through Terminal Services.

